I'm with Jouni on recommending against the servers-with-dual-NICs as a general rule.  What I do in a fairly similar situation is scenario 3:

1) configure the ASA with outside, dmz, and pci interfaces

2) use the public, routable IP's on the DMZ servers which face outward for DNS, SMTP, HTTP, etc.

3) use private rfc-1918 address on the inside PCI servers hosting applications and databases

The ASA itself serves as the router between the DMZ and PCI servers.  If the ASA doesn't have enough throughput for that, then you either need a bigger ASA or you are back to the multiple interfaces on the servers scenario.

In scenario 3 you do potentially need 3 kinds of NAT rules:

a) identity NAT between the DMZ and PCI subnets

b) PAT for the PCI servers going out the general internet for patching

c) if you don't have a dual-interface management staging host on-link with the PCI servers, or an IPsec tunnel to the ASA, then you might need some NAT rules to allow limited inbound connections to the PCI servers for maintenance.

A new option, scenario 4, is to dual-stack the DMZ servers with IPv4 and IPv6, which you should be doing anyway, put the PCI servers on v6-only, and just have public addresses all around.

-- Jim Leinweber, WI State Lab of Hygiene

Hi James,

Thakns for your reply and sorry for the delay in response, I was out of town.  A few followup questions:

1) Why are you also against multi homed servers? Please see my response to Joni in terms of how I'd setup the routing tables - it seems simple to me?

2) Some of the DMZ servers would need access to prviate servers (eg: web server needs to talk to DB server).  How would this be handled?  Also, for nightly backups each server would be pushing a full gigabit of traffic to a backup server/SAN on the private network and this would crush the ASA.  If you don't like the idea of multi-homed srevers (that would talk on a private network and not bother the ASA), then the only other option I see is Scenario #1 where I have an inside and outside network with the routed public subnet statically NATed to inside servers.  Thoughts?

thanks again

Wearing my security hat, I dislike dual-homed servers in general, because they potentially provide alternate paths to evade firewall rules.   Wearing my network engineering hat, I agree that running backups through the firewalls tends to be a bottleneck, so my tape servers are dual-homed, just like yours.  And my app servers tend to be on the same subnet as the DB servers, to keep that traffic from going through the firewall too.  PCI fanatics will cringe at that, and recommend buying more and higher performance firewall hardware.   I'd need a bigger budget.

Using public DMZ and private PCI addresses without dual-homing, since both subnets are directly attached to the ASA, you simply set up identity NAT between the DMZ subnet and PCI subnet and let them talk using whatever access-list rules seem approriate.   The ASA will automatically route between directly attached subnets; you only need route statements for stuff that isn't directly attached.

On the site to site IPsec VPN tunnel, once again, just have an identity NAT rule covering the two ends, and they'll talk to each other fine.  I usually seem to need egress list rules permitting the tunnel traffic too.

-- JIm L

Dear Jouni,

Thank you very much vor your informative response.  My apologies for taking a couple of days to respond as I was out of town.

I have a few follow-up questions.

Scenario 1

1) LAN users (on the private IP range) will need to access the servers based on their public IP address.  Using a split-DNS is not an option and I'd prefer no to play aroudn using DNS rewrites because sometimes the public IP address is used directly.  You mentioned that there can be some NAT rules configured to bypass this? Can you please elaborate on that? I'll be using the GUI ASDM interrface to configure this.  Is it a matter of simply checking the "Enable traffic between two or more hosts connected to the same interface" option?

2) If I wanted to setup a site-to-site IPSEC VPN to a mirror site hosted in another datacentre does this complicate anything in this scenario? Basically the private IP range at this facility will need to be able to communicate to the private IP range at the mirror facility.  Access between the two should be pretty free, but we may want to implement a few basic firewall rules.  Of course we would not want to NAT this communication.

3) If I wanted to setup a Client VPN (using the Cisco VPN client) and get an IP address on the same private network for management purposes, would this complicate anything? As per the site-to-site scenario above we might want to implement a few basic firewall rules but generally it would be full access.

Scenario 2:

1) I am leaning towards this scenario because it seems the simplest to me.  I am concerned however that you do not recommend multi-homed servers - why is this? As I see it, I would configure the routing table on each server to route any prviate IP addresses to the local network router (not an ASA, just the 3750G that the private interface on the server is connected to).  All other routes would go to the ASA.  This seems very simple to me?

2) Similar to the details in Scenario #1 question 2, what happens if we want to setup a site-to-site IPSEC VPN link to a mirror site in a different datacenter? I would want to communicate from the private subnet on this datacentre to the prviate range on the mirror datacentre.  I assume I would also have to update the routing table on each server to also send any traffic to the private-range on the mirror site to the ASA so that it can send it across the VPN link?  I suppose this means the ASA would then need an interface & IP address on the private network too?

3) Similar to Scenario #1, questio 3, what happens if we want to setup a client VPN (using the cisco VPN client) and get an IP address on the private range? Mainly for admin related tasks.  Assume the ASA would then need an Interface & IP address on the private network?

Thanks again for all your assistance, looking forward to your responses.

Best

Hi,

Scenario 1

1.) I think in some cases people try to overcome the fact that a server is configured with a private IP address locally and a public IP address with Static NAT on the firewall by also configuring the Private to Public Static NAT from the DMZ towards the LAN so that the DNS reply wont be a problem.

I personally avoid doing this as it seems to me again a configuration that will make the ASA configuration more complicated than it has to be. I havent had to resort to this kinda of NAT setup personally as we have usually corrected the situation by other means.

2.) This should be no problem at all. You can define different NAT rules for the same hosts/servers. Typically with L2L VPN or Client VPN your NAT0 / NAT Exempt traffic going to the VPN. This will always override the Static NAT configuration. At the sametime the NAT0 / NAT Exempt is only configured to apply for the VPN connections so it doesnt interfere with the Static NAT operation to public network in any way. I can't give you any specific answers (though you naturally may ask about them when you reach that point here on the forums ) But I dont see a problem related to this situation.

3.) Can you clarify this a bit? What do you mean with the same private network? Or are you just generally speaking about the networks behind the firewall? There should be no problem providing VPN Client connectivity to the servers. NAT and VPN configurations depends on how you want to implement the setup.

In both VPN Client and Site to Site VPN (L2L VPN) you have atleast a couple of options how to approach controlling the traffic that comes from the VPN connection

• You can apply a Filter ACL on the VPN connection that only applies to the connections of the said VPN connection. The configuration format is different for Client and Site to Site connections.
  
• You can change the default behaviour of the ASA so that it DOESNT automatically allow all connections coming from a VPN connection through the "outside" interface of the firewall (where the VPN connections usually come from) This way you can controll all traffic for VPNs in your "outside" interface ACL. I tend to like this setup more than the previous even though in certain places it might "bloat" the "outside" interface ACL. Still it keeps the ACL setup consistent
  

Scenario 2

1.) I guess my opinion on this is more related to my own job and our companys/customers roles. Since I mostly manage firewall and vpn environments in my work I tend to have almost nothing to do with the actual server side either hosted by us or at customer premises. In several cases I just have witnessed what not knowing how routing works can cause for the customer network. People managing the servers have made the setup without consulting anyone managing the network and suddenly something doesnt work and ofcourse its the firewalls fault and people managing the firewalls Usually we end up noticing that there is asymmetric routing and connections get blocked. This is my main reason

Naturally if we are talking about a case where either a single person or a small group of people handle both the IT and the Networking this might be ok and not a problem at all. When you know how the setup is and what you have to take into consideration regarding the network this might be fine. So in your case it might not be a problem at all. Though there is always a possibility that you will run into some problems.

Also not overloading the ASA with heavy traffic in this case it also a good point to go for this.

2.) If you are saying that the traffic coming from the VPN connections needs to reach the servers through the private IP address range interface and not the public then you will simply need to have a route from the ASA to that network. You dont necesarily need a direct interface on the ASA for that network. You could route it through some existing ASA interface and the LAN router could handle it. It all depends on the whole setup.

3.) Again I dont see a problem with this. It comes down to your whole network setup on how you provide the connection to the servers private IP address interface through the VPN connection. Just make sure the server has the route to the VPN Pool network through the correct interface which in this case would be the private IP address interface of the server.

Hopefully the above information has been helfpull

Do ask more if I missed something totally (Still a bit tired)

- Jouni

Hi,

You could add this configuration line

crypto map

Notice that this configuration lines

This will create a route to your ASAs routing table for the remote 192.168.200.0/24 network automatically based on the L2L VPN configuration ACL. Its called Reverse Route Injection

EDIT: Other option to do this would probably be to simply add a Static route for the network 192.168.200.0/24 pointing to your public Internet gateway. I think this is what the "reverse-route" will basicly do also.

Hope this helps

- Jouni

Hi Jouni,

You're amazing, thank you! that worked like a charm - although I dont see it putting a static route in the static route section of ASDM but as soon as I enabled reverse route in ASDM for the crypto map it worked .

One curious question, however.  If I try to ping directy form the ASA I can't ping anything thats on the other side of the site-to-site link. i.e. nothing on 192.168.200.0/24.  However,I can ping anything locally on 192.168.0.0/16

Only thing I can think of is that the crypto map not matching when the source is the asa?

Hi,

If youre looking at Static Routes from the ASDM I'd imagine it wont show the dynamically added Static route (well that sounded funny ) in the configuration section atleast.

However if you look at the actual routing table you should see the route. Or optionally use the "show route" on the CLI then the ASA should list the added route.

The reason why you cant ping remote hosts directly from the ASA is because the ASA would use its "outside" interface IP address as the source. So you would basically need to have the "outside" interface IP address in the crypto map ACL on both sites configurations and NAT configurations for it to work. (I guess only the remote sites NAT configurations)

I personally havent done this that many times. I have included the ASA "outside" IP address to the crypto map ACL in occasions where I want to encrypt the Syslog traffic sent by the ASA.

- Jouni

Hi Jouni,

Again, thanks for your informative answer. 

I just disabled reverse-route on the crypto map and put in a static route and that also works so this now makes sense. 

However, I started thinking.  I find this route a little confusing - I'm sending a private range to the outside world.  How does this tell the asa to send it through the tunnel? I'm assuming the crypto map will see an IP with source & destination that matches its interesting traffic and thus pick it up and take it over the VPN tunnel?

But what happens with this route if an internal IP address that is not part of the crypo map source tries to access the remote destination?  Will this route just try to send a private internal IP out over the internet to my internet gateway?

Just want to make sure I'm not missing something here... ?

Thanks

Configuring the static route was just something I was thinking for testing purposes.

I guess the route is there either way. Either through the "reverse-route" or "route" command.

I have never tested with the "reverse-route" configuration would anything special happen to traffic from local network (that isnt part of the L2L VPN configurations) to the remote network.

I'd imagine at the least this would be dropped somewhere on the ISP network if it got through the ASA.

Then again if you dont want it to get that far you can always add some lines to your local ASA interface ACLs. You would first have to allow traffic to all the required private network ranges and then block all the rest of the traffic to any of the 3 major private address ranges.

- Jouni